Dealing with Patch Management in Common Criteria – Lesson Learned from Study Period in SC27 WG3 (S30c)

The responsibility for updating Common Criteria has been transferred from the CCDB to SC27 WG3. Several major changes are in progress in ISO 15408, including the addition of new topics such as patch management. As rapporteur of the study period dedicated to patch management for ISO 15408, the speaker will explain the challenges of including such a topic in the new release of ISO 15408. More specifically, the presentation will detail how this topic is currently addressed in several technical domains and their associated protection profiles, and will then summarize how the following points will be addressed:
a) What vocabulary to use to describe a certified TOE and a TOE with patch(es),
b) What security objectives and SFR to cover TOE patch features,
c) What security objectives and SFR to cover additional code features,
d) What security objectives and SAR to cover a Patch Development Process,
e) What security objectives and SAR to cover a Patch Deployment Process.
The presentation will conclude with a look at potential impacts on further evaluations.

About ICCC

The International Common Criteria Conference is produced by Cnxtd Inc. Event Media Services and presented with the support of the Common Criteria Users’ Forum. The CCUF provides a voice and communications channel between the CC community and the Common Criteria organizational committees, CCRA member organizations (national schemes), and policy makers. Join the CCUF at www.ccusersforum.org